diff --git a/secure-ssh.md b/secure-ssh.md new file mode 100644 index 0000000..80087e8 --- /dev/null +++ b/secure-ssh.md @@ -0,0 +1,32 @@ +# Secure SSH + +## Disable root + +Edit `/etc/ssh/sshd_config` and set `PermitRootLogin no` or if you really need root access, e.g. for backups set `PermitRootLogin forced-commands-only`. + +## Use Public Key Authentication + +Create a new key pair on your client: + +``` +ssh-keygen -b 4096 +``` + +Remember the path and password you choosed. Append the created public key from `//.pub` on your client in the `/home//.ssh/authorized_keys`. + +If you changed the path you can add the following to your `~/.ssh/config` file on your client: + +``` +Host + User # optional + IdentityFile // +``` + +Now edit `/etc/ssh/sshd_config` on your server and set the following values: + +``` +PubkeyAuthentication yes +AuthorizedKeysFile .ssh/authorized_keys + +PasswordAuthentication no +```
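Review bot: The last block of "Use Public Key Authentication" sets `PasswordAuthentication no` with no step to check the config and confirm key login first, so a reader who mistyped the `authorized_keys` entry locks themselves out. Suggest adding a step after the block: run `sshd -t`, reload sshd, and log in with the key from a second session before closing the current one. In the same section, `ssh-keygen -b 4096` does not name a key type, so the result depends on the client's OpenSSH default, and `-b` has no effect where that default is Ed25519; state it explicitly, e.g. `ssh-keygen -t ed25519` or `ssh-keygen -t rsa -b 4096`. The placeholder names are missing from `//.pub`, `/home//.ssh/authorized_keys`, the bare `Host` line and `IdentityFile //`, so the reader cannot tell what to substitute. If they were written in angle brackets, check that they survive Markdown rendering, or use upper-case names such as `USER` and `KEYFILE`. Typo: "choosed" should be "chose".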